Migrating Configuration Data Manually

Directory Server 5 configuration is specified in the file serverRoot/slapd-serverID/config/dse.ldif. Directory Server 6.1 configuration
is specified in the file instance-path/config/dse.ldif.

If you are migrating from 5.1, you must migrate the configuration
files manually. The easiest way to do this is to run the migrateInstance5 migration script to produce a 5.2 configuration, and then
to migrate the 5.2 configuration using dsmig. For
information on using migrateInstance5, see the Directory Server 5.2 2005Q1 Installation and Migration Guide.
For information on using dsmig to migrate the configuration,
see Using dsmig to Migrate Configuration Data.

The following section describes the specific configuration attributes
that must be migrated from the old instance to the new instance.

Migration of Specific Configuration Attributes

The values of the following attribute types must be migrated.

Global Configuration Attributes

The implementation of global scope ACIs requires all ACIs specific
to the rootDSE to have a targetscope field,
with a value of base (targetscope=”base”). ACIs held in the rootDSE are specific
to each Directory Server instance and are not replicated. Therefore
there should be no incompatibility problems when running a Directory Server 6.1
server in a topology containing servers of previous versions. For
more information about the changes made with regard to ACI scope,
see Changes to ACIs.

In addition to the ACI change, the following attributes under cn=config must be migrated:

Security Configuration Attributes

All attributes under "cn=encryption,cn=config" must
be migrated.

If you are using certificate authentication or the secure port,
the key file path and certificate database file path under "cn=encryption,cn=config" must be updated. The values of the following attributes
must be migrated:

nsKeyfile
nsCertfile

Feature Configuration Attributes

The values of the aci attributes under "cn=features,cn=config" must be migrated.

In addition, the values of all identity mapping attributes must
be migrated.

Mapping Tree Configuration Attributes

All entries under "cn=mapping tree,cn=config" must
be migrated.

The Netscape Root database has been deprecated in Directory Server 6.1.
If your old instance made specific use of the Netscape Root database,
the attributes under o=netscaperoot must be migrated.
Otherwise, they can be ignored.

Replication Configuration Attributes

Before migrating replication configuration attributes, ensure
that there are no pending changes to be replicated. You can use the insync command to do this.

In addition to the configuration attributes, all entries under cn=replication,cn=config must be migrated. You must manually
update the host and port on all replication agreements to the new
instance, as well as the path to the change log database (nsslapd-changelogdir).

The following sections list the replication configuration attributes
that must be migrated:

Change Log Attributes

Table 3–1 Change Log Attribute Name
Changes

Old Attribute Name

Directory Server 6.1 Attribute Name

nsslapd-changelogmaxage

dschangelogmaxage

nsslapd-changelogmaxentries

dschangelogmaxentries

In addition, these attributes must be moved from cn=changelog5,cn=config to cn=replica,cn=suffixname,cn=mapping tree,cn=config entries (for each suffix name).

Fractional Replication Configuration
Attributes

If your topology uses fractional replication, the following
attribute names must be changed.

Table 3–2 Fractional Replication Attribute
Name Changes

Old Attribute Name

Directory Server 6.1Attribute Name

dsFilterSPType == fractional_include

dsReplFractionalInclude

dsFilterSPType == fractional_exclude

dsReplFractionalExclude

Replica Configuration Attributes

The values of the following replica configuration attributes
must be migrated:

Directory Server 6.1 introduces the new pwdPolicy object class. The attributes of this object class
replace the old password policy attributes. For a description of these
new attributes see the pwdPolicy(5dsoc) man page.

By default, the new password policy is backward compatible with
the old password policy. However, because backward compatibility is
not guaranteed indefinitely, you should migrate to the new password
policy as soon as is convenient for your deployment. For information
about password policy compatibility, see Password Policy Compatibility.

While Directory Server 6.1 automatically manages coexistence
between new and old password policies and entry operational attributes
during migration and subsequent operations, you need to migrate any
applications that refer to the old password policy attributes. The
following table provides a mapping of the legacy password policy configuration
attributes to the new attributes.

If your deployment uses the NetscapeRoot suffix,
you must migrate the attributes under cn=netscapeRoot,cn=ldbm
database,cn=plugins,cn=config. You must also replace the
database location (nsslapd-directory) with the
location of the new Directory Server 6 instance.

All default index configuration attributes must be migrated,
except for system indexes. Default index configuration attributes
are stored in the entry cn=default indexes,cn=ldbm database,cn=plugins,cn=config. Indexes for the NetscapeRoot database
do not need to be migrated.

Chained Suffix Attributes

All chained suffix configuration attributes must be migrated.
The following configuration attributes are common to all chained suffixes.
These attributes are stored in the entry cn=config,cn=chaining
database,cn=plugins,cn=config.

nsActivechainingComponents
nsTransmittedControls

The following configuration attributes apply to a default instance
of a chained suffix. These attributes are stored in the entry cn=default
instance config, cn=chaining database,cn=plugins,cn=config.